Privacy Attestation and Assurance Engagements

As companies continue to expand globally and adjust their business models to support changing market drivers, the opportunities for companies and the risks related to the privacy of personal information (PI) or personally identifiable information (PII) are also expected to grow.[1] This growth is expected to accelerate the demand for attestation and assurance services provided by CPAs and chartered accountants (CAs) with respect to privacy. The following table identifies the attestation and assurance standard that provides a framework for each of these privacy engagements, as well as the interpretive attestation and assurance guidance for performing and reporting on these engagements.

Privacy Attestation and Assurance Services

| Professional Standard That Provides the Framework for the Engagement | Interpretive Attestation and Assurance Guidance for Performing and Reporting on the Engagement | Criteria for Evaluating and Reporting on the Subject Matter or Assertion |
|---|---|---|
| | The examination engagement in appendix B, “CPA and CA Practitioner Services Using Generally Accepted Privacy Principles,” of the CPA and CA practitioner version of Generally Accepted Privacy Principles; or the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). (This engagement is part of a series of AICPA service organization control [SOC] engagements and has been designated as a SOC 2 engagement. For additional information about SOC engagements, see the discussion beginning with paragraph 1.08 of the guide.) | For the appendix B examination engagement: the criteria for evaluating and reporting on controls over privacy are the criteria for the privacy principle in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids). For the SOC 2 engagement: the criteria for evaluating and reporting on controls over privacy are the criteria for the privacy principle in TSP section 100, and the criteria for evaluating and reporting on management’s description of the service organization’s system are the criteria in paragraphs 1.34–.35 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). |
| Section 5025, “Standards for Assurance Engagements,” of the CICA Handbook—Assurance. | The audit engagement described in appendix B of the CPA and CA practitioner version of Generally Accepted Privacy Principles. | The criteria for evaluating and reporting on controls over privacy are the criteria found in Generally Accepted Privacy Principles. |

Engagement Risk and Acceptance Considerations

CPA and CA practitioners who face increased demand to provide privacy attestation and assurance services are facing new, changing, and unique engagement risks that should be identified and evaluated prior to accepting a privacy attestation and assurance engagement. It is critical that the practitioner fully define the scope of the engagement, identify and understand the nature and extent of these evolving risks, and develop responses to address these risks. Before accepting an engagement, the practitioner should consider the following:

The integrity and reputation of management of the entity and significant shareholders or principal owners

The likelihood that association with the client will expose the practitioner to undue risk of damage to his or her professional reputation or financial loss or expose report users to misinformation and financial or other loss

Privacy attestation and assurance engagements are subject to risks related to the following:

Accepting or continuing an attestation and assurance engagement in general (general attestation and assurance risk considerations)

The special characteristics of a privacy attestation and assurance engagement (special risk considerations for privacy)

A practitioner should accept or continue an engagement to report on controls over the privacy of PII at an entity only if both the general and special risks have been considered and addressed.

[1] The terms personal information and personally identifiable information are used interchangeably in this document. These and other privacy-related terms are defined in appendix A, “Glossary,” of Generally Accepted Privacy Principles.